
Subject lines are not HTML-escaped #46

paulschreiber opened this Issue Aug 23, 2012 · 1 comment

2 participants


Subject lines are not HTML-escaped. If your subject line is

Hello <world>

You will see:


Here's the HTML letter_opener generates:

<dd><strong>Hello <world></strong></dd>

Looks like this is an easy fix in the erb:

<dd><strong><%= mail.subject %></strong></dd>

Change to:

<dd><strong><%= h mail.subject %></strong></dd>
@ryanb ryanb closed this in 5415538 Oct 1, 2012
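The two ERB lines from the issue rendered side by side with plain Ruby ERB, as an added example that is not part of the issue or of the letter_opener code; it assumes a constructed struct in place of the Mail::Message object and takes `h` from ERB::Util rather than from Rails' view helpers.

```ruby
require "erb"

# Constructed stand-in for the Mail::Message object the template receives.
MailStub = Struct.new(:subject)

# The two ERB fragments quoted in the issue: the original line and the fix.
UNESCAPED_TEMPLATE = "<dd><strong><%= mail.subject %></strong></dd>"
ESCAPED_TEMPLATE   = "<dd><strong><%= h mail.subject %></strong></dd>"

# Render one fragment the way the preview template would, with `h`
# available as it is in Rails views (here supplied by ERB::Util).
def render_subject(template, subject)
  mail = MailStub.new(subject)
  ctx = Object.new
  ctx.extend(ERB::Util)                      # provides h / html_escape
  ctx.define_singleton_method(:mail) { mail } # what `mail` resolves to
  ERB.new(template).result(ctx.instance_eval { binding })
end

# True when the rendered HTML contains a tag that did not come from the
# template itself, i.e. the subject text was interpreted as markup.
def subject_leaks_markup?(html)
  html.gsub(%r{</?(dd|strong)>}, "").include?("<")
end

if __FILE__ == $0
  subject = "Hello <world>"   # the subject line from the issue
  [UNESCAPED_TEMPLATE, ESCAPED_TEMPLATE].each do |template|
    html = render_subject(template, subject)
    puts "#{template}\n  => #{html}  leaks markup: #{subject_leaks_markup?(html)}"
  end
end
```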